Note that I'm creating all of this using the OS_TOKEN instead of going through the API. I wonder if that is causing the issue?
So far, my suspicions are that IDv3 with domains isn't fully baked in the Mitaka bits.

On Fri, Aug 19, 2016 at 3:19 PM, Nick Papadonis <npapado...@gmail.com> wrote:
> Hi Folks,
>
> I'm playing with IDv3 in Mitaka and it doesn't seem to work as I'd expect. Hopefully I'm understanding the way domains work. The strategy is to create a top level cloud_admin_dom and super user. Then create a default domain and admin user and default project and admin user. Then create another dom_0001 to test projects in a different domain.
>
> The cloud_admin user works fine and appears to have privileges to do most things. Now, when I use the default domain admin user or default domain default project admin user, I either get authentication issues from Keystone or the policy json isn't allowing the default domain admin (not in a project) to do things like list projects or users. It appears folks have used this a few different ways and I'd appreciate insight from your experience.
>
> As I understand it, the process (please correct me) is:
>
> function get_id () {
>     echo `"$@" | grep ' id ' | awk '{print $4}'`
> }
>
> # Create admin role
> admin_role_id=$(get_id openstack role create admin)
>
> # Create Cloud Admin Domain
> cloud_admin_dom_id=$(get_id openstack domain create \
>     --description "Cloud Admin Domain" cloud_admin_dom)
>
> # Update policy for domain ID
> cat /etc/keystone/policy.v3cloudsample.json | \
>     sed -e "s/admin_domain_id/${cloud_admin_dom_id}/g" > /etc/keystone/policy.json
>
> # Create admin user for cloud admin domain
> cloud_admin_user_id=$(get_id openstack user create \
>     --password secrete \
>     --domain "${cloud_admin_dom_id}" \
>     --description "Cloud Admin Domain Admin" \
>     admin_cloud_admin_dom)
>
> # Assign admin role to admin user
> openstack role add --domain "${cloud_admin_dom_id}" \
>     --user "${cloud_admin_user_id}" \
>     "${admin_role_id}"
>
> # Create default domain (for legacy services)
> def_dom_id=$(get_id openstack domain create \
>     --description "Default Domain" default)
>
> # Create admin user for default domain
> def_user_id=$(get_id openstack user create \
>     --password secrete \
>     --domain "${def_dom_id}" \
>     --description "Default Domain Admin" \
>     admin_default_dom)
>
> # Assign admin role to admin user
> openstack role add --domain "${def_dom_id}" \
>     --user "${def_user_id}" \
>     --inherited \
>     "${admin_role_id}"
>
> # Create default project in default domain (for legacy services)
> project_id=$(get_id openstack project create "${DEFAULT_PROJECT}" \
>     --description "Default Project" --domain "${cloud_admin_dom_id}" --enable)
>
> # Create admin user for default project in default domain
> user_id=$(get_id openstack user create admin_dom_default_proj_default \
>     --project "${project_id}" \
>     --password secrete \
>     --domain "${def_dom_id}")
>
> # Assign admin role to admin user in default domain and default project
> openstack role add --project "${project_id}" \
>     --user "${user_id}" \
>     --inherited \
>     "${admin_role_id}"
>
> # Create service role
> service_role_id=$(get_id openstack role create service)
>
> # Create service project in default domain
> project_id=$(get_id openstack project create service \
>     --description "Service Tenant" --domain "${def_dom_id}" --enable)
>
> # Create service project admin in default domain
> user_id=$(get_id openstack user create admin_default_dom_proj_service \
>     --project "${project_id}" \
>     --password secrete \
>     --domain "${def_dom_id}")
>
> # Assign admin role to admin user in service project
> openstack role add --domain "${def_dom_id}" \
>     --user "${user_id}" \
>     --inherited \
>     "${admin_role_id}"
>
> # First other Domain - dom_0001
> dom_id=$(get_id openstack domain create \
>     --description "Default Domain" dom_0001)
>
> # Create admin user for dom_0001
> user_id=$(get_id openstack user create \
>     --password secrete \
>     --domain "${dom_id}" \
>     --description "dom_0001 Admin" \
>     admin_dom_0001)
>
> # Assign admin role to admin_dom_0001 in domain dom_0001
> openstack role add --domain "${dom_id}" \
>     --user "${user_id}" \
>     --user-domain "${dom_id}" \
>     --inherited \
>     "${admin_role_id}"
>
> ==
>
> Also note, when adding:
> #--project-domain "${cloud_admin_dom_id}" \
> #--user-domain "${def_dom_id}" \
>
> to openstack role add, I'm finding that OSC complains the user ID doesn't exist in that specified domain, when OSC user list --log shows it does. Odd.
>
> Thanks,
> Nick
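The policy side of the question above can be reproduced offline. The block below is an added example, not code from the thread or from Keystone: it re-implements just the subset of oslo.policy's rule language that the v3cloudsample checks use (rule:, role:, attr:literal and attr:%(target)s atoms joined by and/or/not), loads rule strings in the shape of Mitaka's policy.v3cloudsample.json with admin_domain_id already substituted the way the posted sed step does, and then asks whether the cloud admin, the default-domain admin and a project-scoped admin may list projects or users. The domain and project IDs, the rule text and the helper names (enforce, domain_token, project_token, scenarios) are constructed for the example; check the rule strings against your own policy file.

```python
import re

# Constructed IDs for the example (not real Keystone IDs).
CLOUD_ADMIN_DOM_ID = "c10ud4dm1n00000000000000000000001"
DEFAULT_DOM_ID = "default"
DOM_0001_ID = "d0m000100000000000000000000000001"

# Shape of the relevant rules in Mitaka's policy.v3cloudsample.json after
# "sed s/admin_domain_id/<cloud admin domain id>/" (assumption: verify locally).
RULES = {
    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and domain_id:%s" % CLOUD_ADMIN_DOM_ID,
    "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
    "identity:list_users": "rule:cloud_admin or rule:admin_and_matching_domain_id",
    "identity:list_projects": "rule:cloud_admin or rule:admin_and_matching_domain_id",
}

# Tokenizer: atoms such as domain_id:%(domain_id)s keep their own parentheses;
# bare "(" and ")" are grouping tokens.
_TOKEN_RE = re.compile(r"[^\s()]+(?:\([^\s()]*\)[^\s()]*)?|\(|\)")


def _parse_or(toks):
    node = _parse_and(toks)
    while toks and toks[0] == "or":
        toks.pop(0)
        node = ("or", node, _parse_and(toks))
    return node


def _parse_and(toks):  # "and" binds tighter than "or", as in oslo.policy
    node = _parse_not(toks)
    while toks and toks[0] == "and":
        toks.pop(0)
        node = ("and", node, _parse_not(toks))
    return node


def _parse_not(toks):
    if toks and toks[0] == "not":
        toks.pop(0)
        return ("not", _parse_not(toks))
    tok = toks.pop(0)
    if tok == "(":
        node = _parse_or(toks)
        if not toks or toks.pop(0) != ")":
            raise ValueError("unbalanced parenthesis in rule")
        return node
    return ("check", tok)


def _check(atom, creds, target, rules):
    """Evaluate one 'kind:match' atom against token creds and request target."""
    if atom == "@":
        return True
    if atom == "!":
        return False
    kind, _, match = atom.partition(":")
    if kind == "rule":
        return enforce(match, creds, target, rules)
    if kind == "role":
        return match in creds.get("roles", ())
    # Generic check. '%(x)s' takes the expected value from the request target;
    # if the request carries no such attribute the check fails closed, which is
    # exactly what a domain admin hits when listing projects with no --domain.
    m = re.fullmatch(r"%\((\w+)\)s", match)
    if m:
        if m.group(1) not in target:
            return False
        match = str(target[m.group(1)])
    if kind not in creds:  # e.g. no domain_id in a project-scoped token
        return False
    return str(creds[kind]) == match


def _eval(node, creds, target, rules):
    op = node[0]
    if op == "check":
        return _check(node[1], creds, target, rules)
    if op == "not":
        return not _eval(node[1], creds, target, rules)
    left = _eval(node[1], creds, target, rules)
    if op == "and":
        return left and _eval(node[2], creds, target, rules)
    return left or _eval(node[2], creds, target, rules)


def enforce(rule_name, creds, target, rules=RULES):
    """True if a token with `creds` may perform `rule_name` on `target`."""
    toks = _TOKEN_RE.findall(rules[rule_name])
    tree = _parse_or(toks)
    if toks:
        raise ValueError("trailing tokens in rule %r" % rule_name)
    return _eval(tree, creds, target, rules)


def domain_token(domain_id, roles=("admin",)):
    """Creds Keystone derives from a domain-scoped token (OS_DOMAIN_NAME set)."""
    return {"domain_id": domain_id, "roles": list(roles)}


def project_token(project_id, project_domain_id, roles=("admin",)):
    """Creds from a project-scoped token: note there is no 'domain_id' key."""
    return {"project_id": project_id, "project_domain_id": project_domain_id,
            "roles": list(roles)}


def scenarios():
    cloud_admin = domain_token(CLOUD_ADMIN_DOM_ID)
    def_dom_admin = domain_token(DEFAULT_DOM_ID)
    def_proj_admin = project_token("proj-0001", DEFAULT_DOM_ID)
    return {
        "cloud_admin_lists_all_users":
            enforce("identity:list_users", cloud_admin, {}),
        "def_dom_admin_lists_own_domain":
            enforce("identity:list_projects", def_dom_admin, {"domain_id": DEFAULT_DOM_ID}),
        "def_dom_admin_lists_without_filter":
            enforce("identity:list_projects", def_dom_admin, {}),
        "def_dom_admin_lists_other_domain":
            enforce("identity:list_projects", def_dom_admin, {"domain_id": DOM_0001_ID}),
        "project_scoped_admin_lists_own_domain":
            enforce("identity:list_users", def_proj_admin, {"domain_id": DEFAULT_DOM_ID}),
    }


if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print("%-40s %s" % (name, "allowed" if allowed else "forbidden"))
```

Two things follow from the evaluation. First, the domain-admin rule only matches a domain-scoped token: with OSC that means OS_DOMAIN_NAME (or OS_DOMAIN_ID) set and OS_PROJECT_NAME/OS_PROJECT_ID unset, and the request must carry the domain as a target, so `openstack project list --domain default` and `openstack user list --domain default` rather than the unfiltered forms. Second, the OS_TOKEN path used for the setup steps goes through the admin_token_auth middleware, which marks the request is_admin and skips policy enforcement, so policy.json only starts to bite once you authenticate as the created users. Separately from policy, note that an assignment made with `openstack role add --domain ... --inherited` is an OS-INHERIT assignment: it is effective on the projects inside that domain, not on the domain itself, so a domain-scoped token for such a user will not carry the admin role at all.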
__________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev